IN THE CLAIMS: 

Claim 1 (Previously Presented): A method executed within a processing unit for 
filtering packets, comprising the steps of: 

receiving a packet that includes an encrypted identifier and an unencrypted 
remainder of said packet, for verifying identity of a first device that sent said packet; 

authenticating said identifier; 

determining whether to forward said packet to a second device based on result of 
said authenticating, and a policy relative to said source device; and 

forwarding said packet to said second device in accordance with said 
determination. 

Claim 2 (Previously Presented): The method of claim 1, wherein said step of 
determining comprises: 

comparing authenticated identifier yielded by said step of authenticating to a list 
of identifiers; 

retrieving at least one policy rule relative to said authenticated identifier; 
determining whether to send said packet to said second device in accordance with 
said policy rule. 

Claim 3 (Canceled). 

Claim 4 (Original): The method of claim 1, wherein said authenticating is performed in 
accordance with IPSEC standards. 

Claim 5 (Original): The method of claim 1, wherein said authenticating comprises: 

retrieving a pointer to a security association from an authentication header from 
said packet; 

retrieving a key associated with said security association; and 
determining whether said packet is authentic using said key. 
Claim 6 (Previously Presented): The method of claim 5, further comprising the step of 
sending a first message to a third device indicating said identifier is not authentic when 
said step of authenticating so determines. 

Claim 7 (Original): The method of claim 5 wherein said authentication header is an 
IPSEC authentication header. 

Claim 8 (Previously Presented): The method of claim 1, wherein said packet is, in 
addition, encrypted, and said method further comprises decrypting said packet prior 
to authenticating. 

Claim 9 (Original): The method of claim 8, wherein said packet is encrypted and 
decrypted using one of group of cryptographic techniques comprising DES, triple 
DES, HMAC and RSA. 

Claim 10 (Previously Presented): The method of claim 1, wherein said policy rule 
is stored in a policy configuration file at said processing unit. 
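The method claims above (claims 1, 2, 5, 6 and 10) describe a sequence a packet filter performs: take a security-association pointer from an authentication header, fetch the key for that association, check the packet against it, compare the authenticated identifier to a list, apply that identifier's policy rule, and forward or drop, with a message to a third device when authentication fails. The following Python program is an added illustration written for this copy of the document; it is not the applicant's code and does not purport to implement the claims as filed. Everything in it is constructed for the example: the packet layout (a 4-byte SPI and 4-byte sequence number followed by a 32-byte HMAC-SHA256 integrity check value, loosely modelled on an AH-style header), the security-association table, the host names and the JSON policy file contents. One simplification: the identifier is verified with a keyed MAC rather than being encrypted and decrypted.

```python
import hmac
import hashlib
import json
import struct

# Constructed security-association table: SPI -> (HMAC key, host identifier).
# Real keys would come from key management; these are sample values only.
SA_DB = {
    0x1001: {"key": b"k" * 32, "host": "host-a"},
    0x1002: {"key": b"m" * 32, "host": "host-b"},
}

# Constructed policy configuration file contents. Claim 10 keeps the policy in a
# file at the processing unit; here the file text is embedded and parsed as JSON.
POLICY_FILE = """
{
  "allowed_hosts": ["host-a", "host-b"],
  "rules": {
    "host-a": {"allow": ["server-1", "server-2"]},
    "host-b": {"allow": ["server-2"]}
  }
}
"""
POLICY = json.loads(POLICY_FILE)

HDR = struct.Struct("!II")   # SPI, sequence number (AH-style header, simplified)
ICV_LEN = 32                 # HMAC-SHA256 tag length


def build_packet(spi, seq, key, payload):
    """Sender side: header || HMAC(key, header || payload) || payload."""
    hdr = HDR.pack(spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + icv + payload


def authenticate(packet, sa_db=SA_DB):
    """Claim 5 shape: read the SA pointer (SPI) from the header, fetch the key
    for that association, verify the ICV. Returns the host identifier on
    success and None on any failure (short packet, unknown SPI, bad tag)."""
    if len(packet) < HDR.size + ICV_LEN:
        return None
    spi, _seq = HDR.unpack_from(packet)
    sa = sa_db.get(spi)
    if sa is None:
        return None
    hdr = packet[:HDR.size]
    icv = packet[HDR.size:HDR.size + ICV_LEN]
    payload = packet[HDR.size + ICV_LEN:]
    expected = hmac.new(sa["key"], hdr + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return None
    return sa["host"]


def decide(host, dst, policy=POLICY):
    """Claim 2 shape: compare the authenticated identifier to the list of
    identifiers, then apply that host's policy rule to the destination."""
    if host not in policy["allowed_hosts"]:
        return False
    rule = policy["rules"].get(host, {})
    return dst in rule.get("allow", [])


def filter_packet(packet, dst, alerts=None, sa_db=SA_DB, policy=POLICY):
    """Claims 1 and 6 shape: authenticate, decide, forward or drop. On an
    authentication failure a message for a third device is appended to
    `alerts` (a list standing in for the channel to that device)."""
    host = authenticate(packet, sa_db)
    if host is None:
        if alerts is not None:
            alerts.append({"event": "auth_failed", "dst": dst, "len": len(packet)})
        return "drop"
    return "forward" if decide(host, dst, policy) else "drop"


if __name__ == "__main__":
    alerts = []
    good = build_packet(0x1001, 1, SA_DB[0x1001]["key"], b"hello")
    print(filter_packet(good, "server-1", alerts))   # forward: authentic, allowed by policy
    print(filter_packet(good, "server-3", alerts))   # drop: authentic, but no rule permits it
    forged = build_packet(0x1002, 1, b"x" * 32, b"hello")
    print(filter_packet(forged, "server-2", alerts))  # drop: ICV does not verify under SPI 0x1002's key
    print(alerts)                                     # one auth_failed message
```

The two failure paths are deliberately kept apart: a packet that fails authentication never reaches the policy lookup and generates the claim 6 message, while an authentic packet that policy does not permit is dropped silently. Keeping the tag comparison constant-time (`hmac.compare_digest`) is the one implementation detail the claims do not mention but any filter on a network boundary needs.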

Claim 11 (Previously Presented): A machine-readable memory whose contents 
cause a computer system to perform packet filtering, by performing the steps of: 

receiving a packet that includes an encrypted identifier for verifying identity of a 
first device that sent said packet, while remainder of said packet unencrypted; 

authenticating said identifier; 

determining whether to forward said packet to a second device based on result of 
said authenticating, and a policy relative to said source device; and 

forwarding said packet to said second device in accordance with said 
determination. 

Claim 12 (Previously Presented): The machine-readable memory of claim 11, 
wherein said determining comprises: 

3 

PAGE 5/9 * RCVD AT 7/20/2005 6:47:14 AM [Eastern Daylight Time] * SVR: USPTO-EFXRF-6/25 * DNIS:2738300 * CSID:9734676589 * DURATION (mm-ss):03-32 

07/20/2005 06:47 9734676589 HENRY BRENDZEL PAGE 

Bellovin 113031 

comparing authenticated identifier yielded by said step of authenticating to a list 
of identifiers; 

retrieving at least one policy rule relative to said authenticated identifier; 
determining whether to send said packet to said second device in accordance 
with said comparison and said policy rule. 

Claim 13 (Canceled). 

Claim 14 (Original): The machine-readable memory of claim 11, wherein said 
authenticating is performed in accordance with IPSEC standards. 

Claim 15 (Original): The machine-readable memory of claim 11, wherein said 
authenticating comprises: 

retrieving a pointer to a security association from an authentication header from 
said packet; 

retrieving a key associated with said security association; and determining 
whether said packet is authentic using said key. 

Claim 16 (Previously Presented): The machine-readable memory of claim 15, further 
comprising the step of sending a first message to a third device indicating said identifier 
is not authentic when said step of authenticating so determines. 

Claim 17 (Original): The machine-readable memory of claim 15 wherein said 
authentication header is an IPSEC authentication header. 

Claim 18 (Previously Presented): The machine-readable memory of claim 11, wherein 
said packet is, in addition, encrypted, and said method further comprises decrypting 
said packet prior to authenticating. 
Claim 19 (Original): The machine-readable memory of claim 18, wherein said packet is 
encrypted and decrypted using one of group of cryptographic techniques comprising 
DES, triple DES, HMAC and RSA. 

Claim 20 (Previously Presented): The machine-readable memory of claim 11, wherein 
said policy rule is stored in a policy configuration file at said processing unit. 

Claim 21 (Previously Presented): A packet filter for a distributed firewall, comprising: 

an input means coupled to said first network for receiving a data packet from a 
first device, said data packet having an encrypted common host identifier for verifying 
identity of a first device that sent said packet via a decryption process, while remainder of 
said packet unencrypted; 

a first buffer coupled to said input means for storing said received packet; 

a first memory segment containing a list of common host identifiers and at least 
one policy rule; 

a second memory segment for storing a program for decrypting said common host 
identifier, authenticating said common host identifier, and determining whether to send 
said packet to a second device based on said list and said policy rule; 

a processor coupled to said first buffer, said first memory segment and said 
second memory segment for executing said program; and 

an output means coupled to said first buffer for forwarding said compared data 
packet to said second device based on said comparison. 

Claim 22 (Previously Presented): The apparatus of claim 21, further comprising a 
second buffer for storing said compared data packet prior to forwarding said compared 
data packet to the second device. 

Claim 23 (Canceled). 

Claim 24 (Canceled). 

Claim 25 (Canceled). 

Claim 26 (Canceled). 

Claim 27 (Canceled). 

Claim 28 (Canceled). 

Claim 29 (Canceled). 

Claim 30 (Canceled). 

Claim 31 (Canceled). 

Claim 32 (New): The method of claim 1 where said identifier relates to hardware. 

Claim 33 (New): The method of claim 1 where said identifier relates to an IP source 
address. 

Claim 34 (New): The method of claim 1 where said receiving a packet is unsolicited. 